[TUHS] Questions about * and ! in the password field of passwd and shadow

Alan Coopersmith via TUHS tuhs at tuhs.org
Thu Jan 8 08:31:58 AEST 2026


On 1/7/26 13:26, Hauke Fath via TUHS wrote:
> On Wed, 7 Jan 2026 20:34:39 +0100, Marc Haber via TUHS wrote:
> >> Reading historic documents suggests that ! used to be a notion for
>> "temporarily locked" while * is the notation for "this account never
>> had a password since it was created".
> 
> A while back, I looked into how various OSes set up shadow passwords,
> in a vain attempt to run YP with shadow passwords. AFAIR, neither the
> 4.4BSD derived OSes (NetBSD, FreeBSD), nor Solarish (Solaris*, OmniOS)
> use an exclamation mark in the shadow file's password field.
> 
> * <https://docs.oracle.com/cd/E88353_01/html/E37852/shadow-5.html>

The web hosted version of the man page is a little out of date now - the
version shipped in the latest updates documents the following lock strings
as options for the password field - but none have a ! in:

                    *LK*    The lock string is defined as  *LK*  in  the  first
                            four  (or  only  four)  characters  of the password
                            field if the account was manually locked, by an ad-
                            min running passwd -l.


                    *AL*    Prefix on the password hash when  the  account  was
                            automatically locked due to the number of authenti-
                            cation failures reaching the configured maximum al-
                            lowed. See policy.conf(5) and user_attr(5).


                    NP      Used  to indicate an account is active but not par-
                            ticipating in password authentication. It  can  run
                            cron  jobs  and may be able to authenticate using a
                            method other than a password  hash  stored  in  the
                            nameservice, for example SSH publickey or with Ker-
                            beros.

                            Exempt from automatic lock out due to failed password
                            authentication attempts. Useful for system/application
                            accounts and Roles when roleauth=user is set in
                            user_attr(5).

                            The NP value can be set by passwd -N  or  delivered
                            as the value in a pkg(7) user action.


                    UP      Set  by  useradd(8)  when  the account is initially
                            created, and has yet to have a password set.  Users
                            in the UP state can not authenticate to the system.

                            When an account is delivered via a pkg(7) action UP
                            should  be  used  if the user is intended to have a
                            password assigned later using passwd(1).

-- 
         -Alan Coopersmith-                 alan.coopersmith at oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
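
Added example, not part of the original message and not Oracle's code: a small audit helper that classifies the password field of shadow entries using only the four Solaris lock strings quoted above. The state labels, function names and sample entries are assumptions made for this illustration; anything the excerpt does not define (a plain hash, "*", "!", an empty field) is reported as "other".

```python
from typing import Dict, NamedTuple

class FieldState(NamedTuple):
    state: str        # label chosen for this example, not a Solaris term
    keeps_hash: bool  # True if text follows a *LK* / *AL* prefix

def classify_pw_field(field: str) -> FieldState:
    # *LK* is defined on the first four (or only four) characters.
    if field.startswith("*LK*"):
        return FieldState("locked-manual", len(field) > 4)
    # *AL* is a prefix on the password hash.
    if field.startswith("*AL*"):
        return FieldState("locked-auto", len(field) > 4)
    # NP and UP are whole-field values.
    if field == "NP":
        return FieldState("no-password-auth", False)
    if field == "UP":
        return FieldState("password-never-set", False)
    # Not covered by the quoted man page excerpt.
    return FieldState("other", False)

def audit_shadow(text: str) -> Dict[str, FieldState]:
    """Map each user name to the state of its password field."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line: no password field
        result[parts[0]] = classify_pw_field(parts[1])
    return result

# Constructed sample entries; the hashes are placeholders, not real output.
SAMPLE = """\
alice:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000::::::
bob:*LK*$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000::::::
carol:*AL*$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000::::::
daemon:NP:6445::::::
newuser:UP:::::::
svc:*LK*:::::::
"""

if __name__ == "__main__":
    for user, st in audit_shadow(SAMPLE).items():
        print(f"{user:8} {st.state:20} keeps_hash={st.keeps_hash}")
```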

